AesKeyWrap ("Entrust Authority Security Toolkit for the Java Platform")

java.lang.Object
- javax.crypto.CipherSpi
- - com.entrust.toolkit.security.crypto.cipher.SymmetricBlockCipher
  - - com.entrust.toolkit.security.crypto.cipher.AesKeyWrap

```
public final class AesKeyWrap
extends SymmetricBlockCipher
```
An implementation of the AES key wrap algorithm, as defined in the AES Key Wrap Specification.
This algorithm uses the AES symmetric cipher to securely encrypt plaintext key(s) with any associated integrity information and data, such that the combination could be longer than the width of the AES block size (128 bits). It is capable of processing data blocks of 64 bits, using an AES key encryption key (KEK) of length 128, 192, or 256 bits.

An instance of this algorithm can be obtained using the Java Cryptography Architecture (JCA), by requesting an 'AESWrap' cipher from the Entrust cryptographic service provider. This can be done using the following call:

Cipher.getInstance("AESWrap", "Entrust");

Although this algorithm is implemented in the JCA as a cipher, it does not support a block mode (mechanism) or a padding mechanism as symmetric cipher implementation do. These concepts do not apply to key wrap algorithms.

The AES key wrap algorithm is designed to wrap or encrypt key data and unwrap or decrypt wrapped key data. The algorithm operates on blocks of 64 bits, and is capable of processing a value of any length, providing the value is a multiple of 64 bits in length. During wrapping, at least one block of data is required; during unwrapping, at least two blocks of data are required.

The AES key wrap algorithm can be configured to use any of the three key sizes supported by the underlying AES symmetric cipher. The choice of key size affects the overall security provided by the key wrap, but it does not alter the description of the key wrap algorithm.

This key wrap implementation accepts keys in 'RAW' format (software keys), or keys stored on cryptographic hardware devices and accessed via the PKCS#11 interface (PKCS#11 keys). A software-based AES key can be generated using the AES key generation algorithm (KeyGenerator.getInstance("AES, "Entrust")) or manually created using an appropriate Key implementation ( javax.crypto.spec.SecretKeySpec). A PKCS#11-based AES key can be created using the JNIPKCS11 class, and referenced using the TokenSymmetricKey class.

The algorithm uses an initial value (IV) to provide an integrity check on the key data. During wrapping, the IV is encrypted along with the key data, then, during unwrapping, the IV is decrypted along with the key data. If the recovered IV does not match what was expected, the key is not accepted as valid. By default, this implementation uses the default IV ( A6A6A6A6A6A6A6A6). However, a different IV can be configured by supplying an AesKeyWrapParameterSpec or an AesKeyWrapParameters during initialization. Currently, only IVs of length 64 bits are supported.

Note that a call to retrieve the algorithm parameters will return null if algorithm parameters were not explicitly set at algorithm initialization time. If parameters are not explicitly set, the default IV is still used, but is not returned by getParameters.

This class SHOULD NOT be used directly; it should only be used through the JCA/JCE.

FIPS 140-2:

This class is part of the Toolkit's FIPS 140-2 cryptographic module and contains APIs that are considered part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; refer to the API documentation for further details

Since:

7.2

See Also:
AES Key Wrap Specification, AesKeyWrapParameterSpec, AesKeyWrapParameters

Constructor Summary

Constructors
Constructor and Description

AesKeyWrap()
The constructor; creates a new instance of the AES key wrap algorithm.

Constructors
Constructor and Description
`AesKeyWrap()` The constructor; creates a new instance of the AES key wrap algorithm.

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`engineSetMode(java.lang.String mode)` This method is not supported for key wrap algorithms; with key wrap algorithms, a mode of operation is not applicable.
`protected void`	`engineSetPadding(java.lang.String padding)` This method is not supported for key wrap algorithms; with key wrap algorithms, a padding mechanism is not applicable.

Methods inherited from class com.entrust.toolkit.security.crypto.cipher.SymmetricBlockCipher
engineDoFinal, engineDoFinal, engineGetBlockSize, engineGetIV, engineGetKeySize, engineGetOutputSize, engineGetParameters, engineInit, engineInit, engineInit, engineUnwrap, engineUpdate, engineUpdate, engineUpdateAAD, engineWrap

Methods inherited from class javax.crypto.CipherSpi
engineDoFinal, engineUpdate, engineUpdateAAD

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - AesKeyWrap
```
public AesKeyWrap()
```
    The constructor; creates a new instance of the AES key wrap algorithm.
    Applications should never use this constructor, instead the key wrap algorithm should be requested from the appropriate JCA/JCE cryptographic service provider as follows: Cipher.getInstance("AESWrap", "Entrust").
    FIPS 140-2:
    
    FIPS Service: Modify Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call)
    
    status output interface (exceptions)
- Method Detail
  - engineSetMode
```
protected final void engineSetMode(java.lang.String mode)
                            throws java.security.NoSuchAlgorithmException
```
    This method is not supported for key wrap algorithms; with key wrap algorithms, a mode of operation is not applicable.
    FIPS 140-2:
    
    FIPS Service: Modify Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call, parameters)
    
    status output interface (exceptions)
    Overrides:
    
    engineSetMode in class SymmetricBlockCipher
    
    Parameters:
    mode - [FIPS 140-2 control input] ignored
    
    Throws:
    
    java.security.NoSuchAlgorithmException - [FIPS 140-2 status output] always thrown
  - engineSetPadding
```
protected final void engineSetPadding(java.lang.String padding)
                               throws javax.crypto.NoSuchPaddingException
```
    This method is not supported for key wrap algorithms; with key wrap algorithms, a padding mechanism is not applicable.
    FIPS 140-2:
    
    FIPS Service: Modify Object
    
    This API is part of the logical interface to the Toolkit's FIPS 140-2 cryptographic module; use of this API causes the caller to assume the FIPS 140-2 user role and accesses the following FIPS 140-2 logical interfaces:
    
    control input interface (API call, parameters)
    
    status output interface (exceptions)
    Overrides:
    
    engineSetPadding in class SymmetricBlockCipher
    
    Parameters:
    padding - [FIPS 140-2 control input] ignored
    
    Throws:
    
    javax.crypto.NoSuchPaddingException - [FIPS 140-2 status output] always thrown

Class AesKeyWrap

Constructor Summary

Method Summary

Methods inherited from class com.entrust.toolkit.security.crypto.cipher.SymmetricBlockCipher

Methods inherited from class javax.crypto.CipherSpi

Methods inherited from class java.lang.Object

Constructor Detail

AesKeyWrap

Method Detail

engineSetMode

engineSetPadding